SSL certs stopped working for self-hosted Nextcloud installation

My domain is: cloud.aslanfrench.work

My web server is (include version): nginx version: nginx/1.20.1

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0


I am not a dev. I'm a designer who dabbles with self-hosting a personal Nextcloud server at home, so you will have to forgive me if I'm not particularly skilled in this stuff.

I self-host a personal Nextcloud server on an old desktop in my closet.

I recently moved into a new apartment. I went to my domain provider (Dreamhost) and switched my subdomain (cloud.aslanfrench.work) to point to my new IP (192.168.1.202).

For a while that worked, but in the last couple of days I noticed that every time I tried to connect to my cloud server I would get an SSL cert error. The Nextcloud Android and desktop clients have the option to ignore this, but if I try to access stuff through the web client, the browser gives me a big fat "No Can Do".

So I got on my server and started checking around.

First odd thing... certbot doesn't appear to be installed on my machine anymore. I haven't messed with certbot in probably at least a year. At some point in the last two years I completely reinstalled my Nextcloud server. The last time I did that I'm pretty sure I set up certbot. I had to have, right, since I'm just now getting these SSL errors... but then why isn't certbot installed???

Anyway, I go to the certbot website and start going through the process. I install it via snapd etc. When I try running the command to make the cert, it asks me for my email. I give it, and then it seems to remember that cloud.aslanfrench.work was a cert or something?

Anyway, I can't give the proper error message it gave me because I restarted my machine, and now whenever I run the command I get the following:

[sudo] password for aslan: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: cloud.aslanfrench.work
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for cloud.aslanfrench.work
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So I guess I gotta wait and try again. I will update this thread with more info as I get it but I'm hoping someone can make sense of this weirdness or has a clue what I'm doing wrong.

2 Likes

Hi @jcklpe and welcome to the LE community forum :)

This is a problem:

You need a functional HTTP site before you can secure it (via HTTP authentication).
IPs in the 192.168.0.0/16 network are NOT routable over the Internet - no one can reach your site (outside of your appt.).

Try:
which certbot
then, if that shows anything:
certbot certificates

That means you are testing with the production server.
Try adding the flag for testing "--dry-run" to your certbot request.
[after you update the IP and ensure the router is port forwarding HTTP & HTTPS to your server]

2 Likes
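The checks the reply above suggests (which certbot, certbot certificates, an address that is actually routable, a --dry-run against staging before touching production) gathered into one pre-flight script. This is an added example, not part of the thread and not Certbot's own code; the function names, the use of getent for resolution and the argument handling are my assumptions. One Certbot detail worth knowing: --dry-run is only accepted by the certonly and renew subcommands, so the staging test is certbot certonly --nginx --dry-run rather than certbot --nginx --dry-run.

```shell
#!/bin/sh
# Added example: pre-flight checks before asking Let's Encrypt for a cert.
# Not from the original thread or from Certbot. Function names and the
# choice of getent as resolver are assumptions.

# is_public_ipv4 IP -> exit 0 if IP is a routable public IPv4 address,
# 1 if it is private/special-use (RFC 1918, loopback, link-local,
# CGNAT, 0/8, multicast/reserved) or not a well-formed dotted quad.
is_public_ipv4() {
    ip=$1
    # Reject anything that is not digits and dots, or has empty octets.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 10 ] && return 1                                          # 10.0.0.0/8
    [ "$a" -eq 127 ] && return 1                                         # 127.0.0.0/8
    [ "$a" -eq 0 ] && return 1                                           # 0.0.0.0/8
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1  # 172.16.0.0/12
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1                    # 192.168.0.0/16
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1                    # 169.254.0.0/16
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1 # 100.64.0.0/10 (CGNAT)
    [ "$a" -ge 224 ] && return 1                                         # multicast / reserved
    return 0
}

# dns_public_check NAME -> prints the resolved address and a verdict.
# Returns 0 only when NAME resolves to a public IPv4 address.
dns_public_check() {
    name=$1
    # System resolver view; swap in `dig +short A "$name" @8.8.8.8`
    # to see the record the way the CA's validators will.
    addr=$(getent ahostsv4 "$name" | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then
        echo "$name: does not resolve" >&2
        return 1
    fi
    if is_public_ipv4 "$addr"; then
        echo "$name -> $addr (public, OK)"
        return 0
    fi
    echo "$name -> $addr (NOT reachable from the Internet; fix the DNS A record)" >&2
    return 1
}

# Usage: sh preflight.sh cloud.example.org
# Shows what certbot is installed and what it already knows about, then
# does the DNS check, then a staging-only dry run so a broken port forward
# fails against staging instead of burning the production
# "too many failed authorizations" limit seen in the first post.
if [ "${1:-}" ]; then
    which certbot && certbot certificates
    dns_public_check "$1" && sudo certbot certonly --nginx --dry-run -d "$1"
fi
```

The dry run uses certonly on purpose: it obtains a staging certificate without installing anything into nginx, which is all that is needed to prove the HTTP-01 path works end to end.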

Hi thanks for replying.

Okay yeah that makes sense. I remember having heard that before.

I think I need my public IPv4 then, right? In that case I think that's 136.49.246.64? (At least according to a quick website check, and a check on my router.)

But when I enter that into the url I get no connection. With the 192 number I get my nginx splash screen, so I know the server is running locally.

2 Likes

Do you want to serve the site to anyone on the Internet?

2 Likes

Yes, that is something I'd like to be able to do.

2 Likes

Then the first thing you need to do is to update the DNS zone from:

Name:    cloud.aslanfrench.work
Address: 192.168.1.202

To:

Name:    cloud.aslanfrench.work
Address: 136.49.246.64

[and if that new IP can change, then you may need use a DDNS client to keep that IP updated]

6 Likes

A DDNS is a dedicated DNS, right? It's so that the IP doesn't change a bunch. I'm lucky and have Google Fiber, and it doesn't actually change IP that often.

I have changed the DNS to point to the right IP. I didn't do that already because I thought: "why isn't 136.49.246.64 but the internal IP is?"

But I have just now remembered that my nginx sorts incoming traffic by the subdomain used through a reverse proxy config, so maybe now that my DNS is pointing cloud.aslanfrench.work to the correct location, it will work. We'll see. I have told the DNS to refresh and I'll check back in an hour or two once it's propagated.

EDIT:

DNS says it's already propagated. Going to cloud. gives the SSL cert error. I run the certbot command and I get the following:

└─➤ sudo certbot --nginx
[sudo] password for aslan: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: cloud.aslanfrench.work
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for cloud.aslanfrench.work

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: cloud.aslanfrench.work
  Type:   connection
  Detail: Fetching http://cloud.aslanfrench.work/.well-known/acme-challenge/UymF3R66cj_t6qFv8buIW19xkX5muMYSg-ER0xGOn74: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

is it safe to share the log contents here? I checked them yesterday and it appears to contain my entire nginx config within the log.

The "D" in front of DNS is for Dynamic.

If it can change at all, you should use a DDNS client which can keep the IP updated.

Generally yes, although using the --nginx plugin will alter the nginx config and that can be reflected in the log files.
I don't really think we need to see that log file to understand what has gone wrong in this case:
http://cloud.aslanfrench.work/ fails to reach your nginx server.

I get:

curl -Ii http://cloud.aslanfrench.work/
curl: (56) Recv failure: Connection reset by peer
2 Likes

Sorry, what does that mean? I'm googling it but finding a lot of different stuff. Does this mean my router port isn't open and it's being refused or something like that?

2 Likes

There is no way for anyone here to know exactly why it doesn't work.

2 Likes

You'll probably also need to forward port 80 on the router to port 80 on your web server, and port 443 on the router to port 443 on your web server.

3 Likes

I would assume what I have is valid since it was previously valid and can still be accessed locally using the internal ip right?

I guess I should take this to the nextcloud forum since this isn't a letsencrypt issue. Thank you for the help.

3 Likes

I double checked and I still have my port forwarding settings on my router. Thanks for the help. I'll check in with nextcloud people for the rest. Have a nice day!

3 Likes

I double checked my ports again and I noticed that the port forwarding was only set up for my server via a wired connection, whereas my server is now connected by wifi in my new apartment due to the ISP hook up being in the bathroom for some reason.

So I updated the port forwarding for the router to point to the wifi and it appears to have worked. Or at least when I go to https://cloud.aslanfrench.work I get a SSL cert error instead of a refused connection, which matches what happened when I had the DNS pointing to the internal IP.

So now it works except for the broken SSL.

With that in mind I ran certbot again and get the following response:


blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for cloud.aslanfrench.work

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: cloud.aslanfrench.work
  Type:   connection
  Detail: Fetching http://cloud.aslanfrench.work/.well-known/acme-challenge/ChvbUe1FL8m9brA2C7rwtJr3cziVTD3gjZqfaWP2sQ0: Connection refused

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
2 Likes

You should check your port 80 forwarding. I can see your site with https but I cannot see your site with http. The msg about expired cert could not occur without at least seeing your site. The http never gets to your site.

My tests:

curl -I cloud.aslanfrench.work
curl: (7) Failed to connect to cloud.aslanfrench.work port 80: Connection refused

curl -I https://cloud.aslanfrench.work
curl: (60) SSL certificate problem: certificate has expired

Hopefully this is not your ISP blocking port 80 (some do).

Also see:
https://decoder.link/sslchecker/cloud.aslanfrench.work/443

4 Likes

That website is really useful!

And your post was very helpful.

I double checked again and while I properly moved over the 8080 port forwarding I missed the 80 port.

I have corrected this but when I use the namecheap tool it still says handshake failed.

I have my nginx set up with a reverse proxy that forwards all port 80 traffic to https.

nextcloud.conf looks like this:

server {
	listen 80;
	listen [::]:80;
	server_name cloud.aslanfrench.work;
	# ACME HTTP-01 challenge files are served straight from the webroot,
	# so the redirect below never applies to them.
	location /.well-known/acme-challenge {
		root /var/www/letsencrypt;
		default_type "text/plain";
		try_files $uri =404;
	}
	# Everything else is sent to HTTPS.
	location / {
		return 301 https://$server_name:443;
	}
}

As you can see with the Location it forwards everything to 443. So is the issue here something to do with that?

2 Likes

It works as written; but the forwarding doesn't need the ":443".
Instead try using:
return 301 https://$host$request_uri;

What is the pending "issue" exactly?
What "handshake"?

3 Likes
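The curl tests a few posts up (port 80 refused, port 443 answering with an expired certificate) and the acme-challenge location in the nginx config just above, combined into one script that does what Let's Encrypt's HTTP-01 validation does: plant a token under /.well-known/acme-challenge/ and fetch it over plain HTTP by the public name, then look at what port 443 presents. This is an added example, not from the thread or from Certbot; it assumes GNU coreutils date, curl and openssl, the /var/www/letsencrypt webroot from the posted config, and function names of my own. check_http01 has to run on the server itself (it writes the token file), so fetching the public name from inside the LAN also depends on the router's hairpin NAT; repeat the plain curl from a phone hotspot or a VPS to be sure the port forward really works from outside.

```shell
#!/bin/sh
# Added example: reproduce the CA's HTTP-01 fetch and the thread's curl
# tests. Not from the original thread. Assumes GNU `date -d`, curl and
# openssl; webroot default taken from the nginx config posted above.

# days_until NOTAFTER [NOW] -> whole days from NOW (default: current time)
# until NOTAFTER. Accepts the raw "notAfter=Jan  1 00:00:00 2030 GMT"
# line that `openssl x509 -enddate` prints. Negative means expired.
days_until() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    now=$(date -u -d "${2:-now}" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# curl_hint EXITCODE -> what each curl failure seen in the thread means.
curl_hint() {
    case $1 in
        0)  echo "reachable" ;;
        7)  echo "connection refused: nothing answering on that port (router forward, firewall, or nginx not listening)" ;;
        28) echo "timeout: packets silently dropped (ISP block or firewall)" ;;
        56) echo "connection reset: something answered then hung up (wrong forward target or ISP)" ;;
        60) echo "TLS handshake worked but the certificate is untrusted or expired (port 443 is fine, only the cert is wrong)" ;;
        *)  echo "curl exit $1" ;;
    esac
}

# check_http01 NAME WEBROOT -> writes a random token under the
# acme-challenge directory and fetches it via the public name over HTTP.
# Success means 200 with the token body; a 301 to https or a 404 means
# the challenge location is not being served for this host.
check_http01() {
    name=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token=$(head -c 24 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=')
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    got=$(curl -sS -m 10 "http://$name/.well-known/acme-challenge/$token"); rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] || { echo "port 80: $(curl_hint "$rc")"; return 1; }
    [ "$got" = "$token" ] || { echo "port 80 answered but served something else (redirect or wrong vhost)"; return 1; }
    echo "port 80: HTTP-01 path OK"
}

# check_tls NAME -> confirms port 443 completes a TLS handshake and
# reports how many days the presented certificate has left.
check_tls() {
    name=$1
    notafter=$(openssl s_client -connect "$name:443" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null) || { echo "port 443: no TLS handshake"; return 1; }
    left=$(days_until "$notafter") || return 1
    echo "port 443: certificate expires in $left days ($notafter)"
    [ "$left" -gt 0 ]
}

# Usage (on the server): sh http01-check.sh cloud.example.org [/var/www/letsencrypt]
if [ "${1:-}" ]; then
    check_http01 "$1" "${2:-/var/www/letsencrypt}"
    check_tls "$1"
fi
```

The point of fetching a token rather than just "/" is that the redirect-to-HTTPS location makes a bare GET of "/" return 301, which tells you nothing about whether the challenge path is reachable; the token fetch is exactly the request the CA makes.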

This is what it shows me:

https://decoder.link/sslchecker/cloud.aslanfrench.work/80

It says

Handshake failed, we haven't received any certificates from the requested server.

I don't know what that means. I would assume it means that they tried to grab the certs, and then didn't get them. Makes sense it couldn't get certs because certbot hasn't made them. But then why isn't certbot working when I run it? Earlier it appeared to be a connection issue but now I've set up the port forwarding correctly.

I tried running curl on the connection myself but I get no response from CLI. Not even an error response.

2 Likes

Try port 443. That is for https. Port 80 is used for http, which has no certificate.

3 Likes

443 works fine:

But when I run certbot it gives me this error:

2 Likes